Formal auditing processes began to be implemented with industrial evolution as method for detecting fraud and establishing financial accountability. The financial sector, particularly after the development of stock markets, was the great promoter for establishing formal and regular audits procedures mainly to provide investors information that they could trust.
Relatively to food safety audits, although HACCP has been introduced by Codex Alimentarius back in the 1969 it was considered that this Code of practice was not auditable. It was only with the surge of Food Safety Standards at the end of last century that food safety audits become common. As any other audit, food safety audits involve interviews and documentation review to access compliance with a specific set of standards. A food safety audit focuses on gathering information about a food business to identify any areas of potential improvement in the business’s food safety processes and systems, also identifying areas of the business that have deficiencies and the appropriate action to correct any deficiencies.
In a previous article, published in Quality Progress Magazine (American Society for Quality flagship publication), about the challenges surrounding unannounced audits of food safety standards, you can read more about the drivers and some controversy around food safety audits and also the role that GFSI (Global Food Safety Initiative) has been playing on it.
ISO 19011:2011 – Guidelines for auditing management systems defines audit as: “A systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled”. Common trait of the different types of auditing is the purpose of check and review in order to improve. The results include a summary of the objectives, reason for conducting review, individuals involved, list of recommendations, list of areas and proposals for improvement.
What is the need of an audit for your system or organization?
Audit provides the opportunity for a second set of eyes. It provides the information needed to ascertain whether the system is operating effectively or if any changes need to be made. There are several types of audits from which the organization may choose according with their own objectives. Below is present a brief description of the most common.
Process audit
Audit of selected process within the management system to assess its inputs, methods and resources against the applicable requirements.
Product audit
An independent inspection or test of the product to ensure specifications are met and the system produces the desired result.
System audit
When an audit is conducted to verify if an organization has a well-documented and implemented system in agreement with specified requirements
Internal audits
Internal audits are often called First Party Audit. This is when someone from the organization itself will audit a process or set of processes to ensure it meets the procedure that the company has specified. This person can be an employee of the organization or someone hired by the organization to perform the internal audits. These audits will be credible when first party auditor is genuinely independent and free to bias. If you decide to use first party auditors to make a self-declaration of compliance, make sure that they aren’t auditing their own work
These audits can and should be much more in depth than the other audits, since this is one of the best ways for a company to find areas to improve upon.
External Audits
Second Party
External Audits are performed on a supplier by a customer or by a contracted organization to ensure that they are meeting the requirements specified in the contract. These audits tend to be more stressful to the auditee since it can condition the customers’ buying decisions.
It is important to understand that a second-party audit is between the customer and the supplier and has nothing to do with becoming certified.
Third Party
These audits are performed by an independent organization that should be free of any conflict of interest regarding the clients/customer relationships. The independence of the auditor is a core principle for these audits, since this is the only way to maintain confidence on it whatever the audit outcome may be.
Joint audit
When two or more auditing organizations cooperate to audit a single organization. At the end a single audit report is produced.
Combined audit
When two or more management systems of different disciplines are audited together, at the same time. This option can reduce audits cost and duration.
“Why following the rules?”
Rules help making audits an effective and reliable tool in support of management policies by providing information on which an organization can act in order to improve its performance. Adherence to these rules is a prerequisite for providing audit conclusions that are relevant and sufficient and enable auditors, working independently from one another, to reach similar conclusions.
ISO 19011 is a standard that provides guidance on how to audit management systems (internal or external audits). This standard in currently under revision and the new version is expected to publish in April 2018. One of the changes that is already known is the introduction of the seventh audit principle – Risk-based approach. A brief description of the audits’ principles according ISO 19011 standard is presented below.
I. Integrity: the foundation of professionalism
Auditors should perform their work with honesty, diligence, and responsibility in an impartial manner, i.e. remain fair and unbiased in all their dealings.
II. Fair presentation: the obligation to report truthfully and accurately
Audit findings, audit conclusions and audit reports should reflect truthfully and accurately the audit activities. The communication should be truthful, accurate, objective, timely, clear and complete.
III. Due professional care: the application of diligence and judgement in auditing
Auditors should exercise due care in accordance with the importance of the task they perform and the confidence placed in them by the audit client and other interested parties. The auditor must have the ability to make reasoned judgements in all audit situations.
IV. Confidentiality: security of information
Auditors should exercise discretion in the use and protection of information acquired in the course of their duties. It includes the proper handling of sensitive or confidential information.
V. Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions.
Auditors should be independent of the activity being audited wherever practicable, and should in all cases act in a manner that is free from bias and conflict of interest. For internal audits, auditors should be independent from the operating managers of the function being audited.
VI. Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process.
Audit evidence should be verifiable. It will in general be based on samples of the information available, since an audit is conducted during a finite period of time and with finite resources. An appropriate use of sampling should be applied, since this is closely related to the confidence that can be placed in the audit conclusions.
VII. Risk-based approach: an audit approach that considers risks and opportunities.
This risk-based approach should substantively influence the planning, conducting and reporting of audits in order to ensure that audits are focused on matters that are significant for the auditee and for achieving the audit programme objectives.
Skills and techniques
A benchmarked auditor cannot exist, because as any Human being, the Auditor has a unique set of characteristics. However, some of the processes used by certification bodies to calibrate auditors can help in developing the skills.
Have you got what it takes to be a good auditor? Strong technical and ethical characteristics are fundamental to audit success.
Auditing is a complex process which involves many different skills and responsibilities. Also, in the current environment, the auditor continues to face ever-increasing demands because of regulation and client expectations. At one end of the spectrum, the auditor has the pressure to sufficiently document the work performed and on the other end, the auditor faces the pressure to get the work done on time. These pressures can cause auditors to fall into the “complete the task” trap, giving them the illusion that it is possible to get the job done on time and the audit opinion be correct. The balance of both has to be maintained and for this to be possible there are characteristics of an auditor that are essential to audit success.
So here are some of the techniques one can grasp:
1. Diplomatic
Being tactful will make your job easier and produce a factual report. The auditor must be tactful in dealing with people, particularly time wasters. While your report must be accurate and factual, make sure you include Positive Points also where possible.
2. Good communicator
Communication skills allow auditors to have connection with others. The technological world in which we live today can negatively impact the audit staff’s ability to become an effective communicator, especially when e-mail becomes a substitute for face-to-face communication with audit clients. A good auditor recognizes the importance of face to-face communication and strives to make it the primary mode of communication. Clients want to talk to the auditor, and the better the auditor is at effective communication, the better the conversation is with the client. Effective communication occurs when the client understands exactly what you are saying. Achieving this is not easy but once achieved, it will set you apart from the rest.
3. Leadership
Great leaders have the desire to help others succeed.
Henry Ford said, “Don’t find fault, find a remedy.”
This statement is a classic in the context of leadership; leaders find solutions, they do not place blame. An auditor that is a leader finds solutions to complex problems at the client and has the ability and skill to assist in getting the solutions implemented. A good auditor must strive to become a successful leader.
4. Good listener
Personnel are often quite defensive when being interviewed about their tasks, so putting them at ease is an essential requirement.
The most often overlooked skill is listening. Listening seems like a simple concept, but few do it well. Many auditors listen to hear the answer they want to hear rather than to listen for understanding. When the client answers, the auditor must “listen” completely; missing one small piece can cause them to miss the message entirely.
5. Decisive
Reaching timely conclusions based on logical reasoning and analysis. Decision-making can be hard. In most situations a decision involves some conflict or tradeoff. The challenging part is to select the best given information that you have gathered to assist with the decision.
Audits historically started in a time of crisis and with the objective of controlling if banks were following rules after the Great Depression. Until today I believe that in the back of people’s minds audits still have this negative charge of someone controlling another. This can explain how so few organizations use internal audits as a regular source of self-assessment, instead of simple preparation for an external audit. In food industry the major drive for the exponential growth of audits was external to organizations and due to retailers’ second party audits or third-party audits (most probably to obtain/maintain certification requested by clients). The introduction of Unannounced audits programs in food safety schemes is a step in the right way, encouraging organizations to implement, maintain and monitor (audit) their food safety system based on a daily-approach and not in an external audit-approach.